Surplus to requirements?

Security solutions

The second part of NME’s survey takes an in-depth look at the region’s attitudes towards network security and discovers that despite the continued hype surrounding security products and trends, there are still lessons to be learned and certain naiveties to be overcome.

Despite an increasing number of security vendors and consultancies moving into the local market, 7% of respondents revealed they had no security products in place on their network. While this may not seem an alarmingly high number, security bodies warn that enterprises or even individuals with no security products in place are opening themselves up to various viruses and vulnerabilities.

“Everyone should have the minimum of a personal firewall and antivirus. Corporately a similar stance should be taken,” says Dean Bell, managing director, Scanit Middle East.

Most vendors concur that the 7% is probably a truthful figure, although there is some disagreement about how many products users need to deploy in order to consider themselves secure. Some vendors argue that enterprises that are not connected to the internet face fewer risks as they are less likely to download viruses or have their network sniffed by outsiders, and that users who only log on sporadically to the web may get away with just antivirus software.

“If they are not an internet/public facing infrastructure company and connect occasionally to the internet then antivirus software does offer some protection against the Trojans and worms that embed themselves into malformed messages and HTML code,” explains Bell.

For most companies, antivirus products are commonly the first step in attempting to secure their network and users. This is a view somewhat supported by NME’s survey findings with 26% of participants only having installed an antivirus solution.

“I’m sure that from the other 93% [that have network security products] there isn’t a large percentage that have all the components. You probably have a large percentage that have only antivirus or firewalls, so they are not secure,” comments Adham Maghraby, regional director, sales & marketing, Internet Security Systems (ISS), Middle East.

Kevin Isaacs, Symantec’s regional director for Middle East & Africa, also agrees that antivirus software is often given greater importance than it should be and, crucially, that it fails to protect against the most common security threat. “People that say they are not on the internet are blissfully ignorant about the realities that they are facing. It is a known fact that most threats come from inside the organisation,” he explains.

As such, vendors advise enterprises to deploy a host of different products to secure their network; these include intrusion detection systems, perimeter and embedded firewalls and antivirus solutions.

While 22% of respondents to NME’s survey claimed to have all these components in place, a further 37% have a combination of these solutions deployed within their network.

Vendors also advise enterprises that have a combination of security solutions to install a centralised management suite to monitor and prioritise security events, as well as automatically install antivirus updates or patches. Consequently, integration of these solutions is becoming a priority among enterprises, while security vendors are rolling out management platforms.

“This year ISS launched the Fusion module on our management software and what it does is basically correlate information from the multiple devices on the network. If users have multiple products and they are all logging events and attacks on the network, the Fusion module identifies these events and the devices they are coming from and understands which are high risk, false positive or not important, and it does this automatically,” comments Maghraby.

Policy protection

Despite many enterprises investing in some form of security products, and a recent Symantec survey revealing that there were fewer attacks in the last six months of 2002, Isaacs warns that the nature of these threats has become more serious, while awareness levels in the Middle East remain below par.

“The number of attacks in the last six months of 2002 actually reduced, but the number of vulnerabilities has increased dramatically, so the potential for major attacks is increasing all the time,” he comments.

“And the biggest problem that we have in the Middle East is this ‘It won’t happen to me’ attitude... There is a certain apathy [towards security] based on the fact that we are perceived to be so far away from the rest of the world,” continues Isaacs.

ComGuard’s marketing director, Daniel Nufer, concurs with this opinion and suggests that the results of NME’s survey could have been different if there had been a high-profile security attack in the region prior to the online poll.

“The unfortunate reality is that awareness and interest in security tends to boom in the aftermath of a major disaster or high-profile security breach, and then fade away shortly afterwards,” he explains.

Despite the tendency of vendors to blame end users for their naivety, Justin Doo, managing director of Trend Micro, Benelux, Middle East & Africa, says that vendors must accept some degree of blame and look to educate the regional market about security vulnerabilities, rather than just targeting sales opportunities.

“If people want to point the finger at a region and say there is lack of awareness, they also have to look within and see how much they are doing to get that information out and what efforts they are undertaking to educate people,” he states.

Doo also suggests that the predominance of small-to-medium sized businesses (SMBs) in the local market poses a challenge to vendors and consultants in driving home security messages.

“One of the challenges we all face as an industry in the Middle East is the very large SMB population… The inherent problem with this is that while we can drive education into those businesses and highlight to the owners, directors and managers of those businesses that they need to have security training or even security, most of those SMBs don’t have a physical IT manager whose sole task it is to look after their network security,” he explains.

However, as security vendors and consultants look to drive awareness within the local market, their focus is not on products or devices, but on policies. Analysts agree that the starting point for any enterprise in securing their network is the creation of a corporate security policy that governs everything from passwords to training.

“What they [enterprises] need to have is not security products but a security strategy. If these survey respondents have told you that they don’t have any security products, but they are conscious from a strategic perspective I am perfectly alright with that,” comments Jean-Louis Previdi, senior vice president & service director, global networking strategies, Meta Group.

While vendors might not be so liberal in their approach and regard products as an important tool in the fulfilment of policies, they all agree that merely deploying security products in an ad hoc or ungoverned manner is no guarantee of a secure network.

“We call it the three Ps — people, process, and products. Products are the end game — they are the tools,” says Symantec’s Isaacs.

However, these policies must be tied into the training and people issues within a company. After all, there is no point introducing a policy if users don’t know about it or understand it and, equally, if these policies are not monitored and enforced their effect is again diminished.

“Enterprises will always have the core people at the bottom that have to access and use IT as part of their job although it is not something they would choose to do. Enforcing a policy at that level can be extremely difficult because it doesn’t have any importance to them,” cautions Doo.

Security training

While enterprises grapple with the policies/products debate, security vendors and consultancies are attempting to raise awareness and education levels by introducing training courses and awareness road shows. The likes of Scanit and ISS are offering a host of product-specific and generic security courses, while Symantec is extending its training facilities around the region. “We have just appointed a training partner in Saudi called Synoptics and we are negotiating with another partner in Egypt to set up a training centre,” says Isaacs.

Security is also topping the agenda with the region’s training companies, which are expanding their course portfolios to incorporate the topic. Additionally, Trend Micro is investing in educating its channel to ensure that it is capable of transferring knowledge to customers and end users. “Once we have the channel certified we will be looking at delivering certification and training to our customers,” says Doo.

Despite the investment and hype surrounding security courses and training, enterprises and individuals still seem largely ambivalent to the need for security education. An overwhelming 86% of respondents to NME’s survey revealed that they had no security certifications. Although some vendors expressed surprise at this figure, others suggest that it can again be attributed to the somewhat naive approach to security of enterprises and their failure to recognise the importance of having trained security staff.

“Most companies today in the Middle East are jumping on the bandwagon of connectivity and that is opening up vulnerabilities. But the problem is with their IT staff… Information security is a knowledge base that is quite specialised, you can have someone who has graduated in computer science from university and he might know a few knowledge points about security, but he doesn’t know how to deal with it, what to do if his network is being attacked, or how to develop a policy,” comments ISS’ Maghraby.

However, security vendors advise enterprises and individuals to invest in security training and certifications for the correct reasons, and not merely to add an additional line to their CV or attain so-called paper certifications.

“Another question to ask is why do people look towards certification and to what level are they certified and with which type of organisation? Is it just to have something on their CV, or is it because they are committed to their organisation and want to ensure the integrity of their environment?” cautions Bell.

Despite these concerns and the seeming apathy towards security certifications, vendors and analysts predict increasing demand for such training and suggest the figure (86%) could be attributed to a number of factors, including the immaturity of the market.

“This is the only area where we’re expecting the percentage of certified people to improve substantially. People will go for training and certification in order to make sure that their business is quite safe,” comments Meta Group’s Previdi.

Additionally, local vendors say that enterprises are beginning to realise the importance of having a dedicated security manager in the IT team. Although many of the larger regional organisations have employed individuals for the role, Doo says that demand for such staff is currently outweighing the supply.

“I can name a dozen companies here in the Middle East that are desperately searching for security professionals, not to do just simple installations, but people that can actually manage solutions, security needs and policies,” adds Isaacs.

Furthermore, enterprises are beginning to realise the distinction between a security officer and a systems administrator, and with this comes a recognition that the two have very separate tasks to undertake. Additionally, the security manager must have a certain degree of independence from the IT department in order to provide impartial judgements on security vulnerabilities and progress of a company.

“In the past couple of years the market has started to realise that a systems administrator is not a security administrator. The systems administrator is there to make sure the network is functioning properly and that everything and everyone is getting where they want to go. The security administrator is making sure that the network is not vulnerable to hackers, that there are no Trojan horses running around, and that there’s no information being tunnelled out of the network,” says Maghraby.